August 17, 2023 By Jonathan Reed

It’s no surprise that cyber criminals target high-profile individuals or those with privileged access. Malicious actors often use social engineering and whale phishing attacks against these people to breach systems. But households and family members of company executives may also be the target of cyberattacks. In some cases, such as sextortion attempts, criminals demand monetary payment.

There’s also a new trend where family members are being targeted, but the actors aren’t asking for money. Instead, attackers seek network access and passwords, or ask victims to download files — all in an attempt to reach bigger targets and carry out wider attacks.

In short, modern company security should also include household security.

No perimeter to secure

If anything, the pandemic eliminated any notion of perimeter-based security. How many companies these days have employees connecting from a distance? How many businesses have hundreds, if not thousands, of devices connecting to their network? While the security risks are clear, 24/7 availability from any place on any device enables brands to stay competitive. And this means security must extend to all endpoints, human and machine, to secure a company’s network.

While we obsess over online security, threat actors might not stay limited to digital-only tactics. For example, cyber pro Reuven Aronashvili reported a case that involved the teenage son of an executive. The actors threatened to reveal that the teen was gay — something he had not shared with his family at the time — unless he installed some files on his home Wi-Fi network. Once the files were installed, the attacker could then target his mother, the executive.

The FBI has also released a warning about the rise of “sextortion” attacks. As per the FBI, “Sextortion occurs when someone threatens to distribute your private and sensitive material if their demands are not met.”

Sextortion and social engineering

Sextortion may be considered a type of social engineering attack. Most victims report that the aggressor makes initial contact through dating websites or apps. After gaining confidence, the fraudster lures the target to continue the conversation on a private messaging platform.

The actor then encourages the victim to exchange sexually explicit material. They might invite them to video chats or ask for explicit photos. Once the victim complies, the criminal begins to demand money to prevent the release of the photos or videos on social media. The attacker may also gain access to the victim’s social media or contact information and threaten to send the images to the victim’s family and friends.

As per Aronashvili, a new type of sextortion attack — to demand file download or network access — is growing rapidly. He said these attacks were unheard of as recently as 2021 when most sextortion attempts demanded a straightforward payout.

“Now, by asking for access and file downloads, attackers are seeking to use sextortion as the first step in reaching potentially larger targets, with potentially larger profits,” he said. Attackers may initially target family members to eventually attack the company, its suppliers or its customers, according to Aronashvili.

Family cyber awareness is company cyber awareness

The reality is that nefarious actors frequently target young people. For example, recent reports suggest that online grooming crimes are rising. This alone makes it essential to teach family and household members about cyber risks. Now, criminals are also grooming family members hoping to gain access to company networks. So when security teams think about cyber awareness, they should be talking to teams about security at home as well.

These intrusions get too close for comfort in some cases. For example, Mandiant Consulting CTO Charles Carmakal shared a story about a client who was being extorted. Carmakal said the client received flowers from the threat actor with a very polite but intimidating message.

“It’s a very different story if you’re an executive of the company, and your daughter is being harassed by a threat actor. Your desire to pay or your willingness to pay shoots up tenfold when you’re dealing with personal attacks,” Carmakal said.

Beware of gamer fraud

Cyberattacks against gamers have seen rapid growth recently. And Kaspersky Lab reported that cyberattacks on young gamers shot up 57 percent in 2022. As per the report, cyber criminals launched more than 7 million attacks on children, exploiting popular game titles in 2022.

Phishing pages target young players by mimicking global titles, such as Roblox, Minecraft, Fortnite and Apex Legends. The report points out that to reach parents’ devices, cyber criminals lure children to fake game sites and phishing pages to download malicious files.

It was also reported that a common social engineering method involves offers to download popular cheats and mods for games. On some phishing sites, kids can access a manual on how to properly install a cheat. The manual may even include specific instructions about how to disable the antivirus before installing a file. Some young players may fall for this, so any malware they download can avoid detection on the infected device. And the longer the user keeps their antivirus disabled, the more information the malware can collect from the victim’s computer.

The report also noted that the games targeted even included titles for the youngest players, such as Poppy Playtime and Toca Life World. These games are designed for 3- to 8-year-old players.

Bring cyber awareness home

Internet access makes every person in a household a potential victim. Crimes like kidnapping or sexual abuse can occur due to social engineering grooming. Plus, company breaches can occur due to sloppy cyber hygiene at home.

The Kaspersky report offers the following advice (adapted for this article):

  • Show interest in your kids’ online activity. Sit down with them to watch their favorite series or listen to music tracks together.
  • Consider using parental control apps, especially for the younger people at home. Don’t forget to explain how the apps work and why they’re important for safety.
  • Teach kids that sensitive information should only be shared via messengers and only with people they know in real life. Be a role model and exhibit examples of good online behavior.
  • Spend time talking to your kids about online safety measures. Encourage them to ask before downloading anything. Pay attention to your own habits.
  • Make talks about cybersecurity more enjoyable and interesting by discussing them with your child through games and more engaging formats.

Cyber risk is more pervasive than ever — at work and at home. Educate yourself, your teams and your family. And stay secure.
